On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi <luca.bocca...@gmail.com> wrote:
> On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
>> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.bocca...@gmail.com>
>> wrote:
>> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> >> Source: libvdpau
>> >> Severity: important
>> >> Tags: security, fixed-upstream
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libvdpau.
>> >>
>> >> CVE-2015-5198[0]:
>> >> incorrect check for security transition
>> >>
>> >> CVE-2015-5199[1]:
>> >> directory traversal in dlopen
>> >>
>> >> CVE-2015-5200[2]:
>> >> vulnerability in trace functionality
>> >>
>> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> >> release.
>> >>
>> >> If you fix the vulnerabilities please also make sure to include the
>> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>> >
>> > Hello Alessandro,
>> >
>> > Thanks for the heads-up!
>> >
>> > Vincent, Andreas,
>> >
>> > I have updated the libvdpau git repo with the new release [1]. I have
>> > tested the amd64 and i386 packages in Jessie, and they seem to work just
>> > fine with vdpauinfo and VLC.
>> >
>> > Could you please review and do a new upload, when you have time?
>> >
>> > Thanks!
>> >
>> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>>
>> Uploaded, thanks! I'll make a note to myself to update the package in
>> jessie-backports as well. Luca, let me know if you need a sponsor for
>> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
>> don't know if these CVEs warrant a DSA, so ping the security team
>> first with a source debdiff and see what they say, and if they say no
>> then ping the release team instead); thanks for taking care of updates
>> for stable/oldstable/oldoldstable!
>
> Hello Vincent,
>
> Thanks for uploading 1.1.1!
>
> I have pushed to the git repo the backported changes for jessie [1] and
> wheezy [2]. Alessandro confirmed that the Security Team would like to
> release a DSA for this [3], so could you please sponsor the upload to
> security-master when you have time? I added you to the Uploaders in the
> wheezy branch already.

Uploaded to security-master, thanks for preparing these updated packages!
It's worth pointing out that adding yourself to uploaders in d/control
isn't necessary for security uploads, although I suppose it doesn't
actually make any difference either way.

I'll take a look at the squeeze-lts update next.

Regards,
Vincent